HowTo Title: Really Quick Personal Firewall on a Linux host in a Simple Samba LAN
It took me six frustrating months to get this working (of course, not full time – I do have other interests). This forum and allied forums are littered with terrific, necessary advice, alternatives, "I do it this way" snippets and so on. That's great stuff, but I just couldn't find a here's-how-to-do-it, start-to-end-and-why thing. So when I did finally understand and did finally get a sweet little workgroup humming, I decided to write it up for others.

But YOUR COMMENTS PLEASE: I'm a newbie and this area is not my forte. So please give constructive criticism. I could very easily have missed something or got something wrong, and I would like to get this work-in-progress right for others.

Summary: This HowTo uses iptables in Suse 10.0 and 10.1 to set up a personal firewall, i.e. a firewall on an individual host/workstation. The method is to edit the file /etc/sysconfig/SuSEfirewall2 to permit the ports that Samba uses.

Thanks, cheers
Swerdna
I'm posting the link to the tutorial this thread refers to, just in case someone does not know where to get it:
http://wiki.suselinuxsupport.de/wikka.php?...lLinuxHostSamba

Thanks
Swerdna
To Note 1 (Swerdna's howto) I would add that one does not need to keep both tcp139 and tcp445 open. Close either tcp139 or tcp445.

The default is 139, but with w2k or up only tcp445 can be used. In smb.conf add "smb ports = 139" or "smb ports = 445". Also close either one on the Windows box (registry editing required). For a properly working simple Samba configuration on a home LAN only tcp 139 is worth keeping open (easier to administer).
If NBT in Win2K/XP is left alone (i.e. enabled by default) then Windows simultaneously looks on 139 & 445. Win2K/XP will continue its session in cascading style with 445 first, 139 next. NBT is at the heart of the Samba SOHO LAN, so there is NO CASE for including 445 there, particularly from the admin viewpoint. Consequently you would put "smb ports = 139" in smb.conf, if only to cut out one of the defaults (viz: 445). You would also leave 445 out of the iptables allowed ports (so as not to complicate things), and in the 2K/XP allowed ports you would not include 445.

But what about Vista? Well, it supports NBT for old times' sake, and from what I read it uses the same ports. So all I need to do is load it as a VMware guest and confirm it works to these rules.

OK, given that reasoning, I propose to change the HowTo so it opens only 139 of the 139,445 pair and add a note as to why, and your good advice has been incorporated????

Thanks broch
Swerdna
Yes, that's what I would do regarding tcp139/445.

Since w2k, Windows SMB first looks for tcp445 and, if not found, tcp139. In contrast, Samba defaults to tcp139 followed by tcp445 (this makes more sense than Windows). Because there are a lot of problems with Windows, I would keep the minimum of ports open on the Windows box (closed or filtered or both), and doing so I would also close the unused port on the Samba server. I am not sure about Vista, but based on this: http://www.microsoft.com/technet/network/e...e/vista_fp.mspx Vista will behave the same way as w2k/xp.
My reply is only vaguely connected to the thread on *this* page, but is pertinent to the topics of Samba, SOHO... A note: there's no such title in www.wikipedia.org as "SOHO LAN". I guess some will find it useful to look up this link: http://safari5.bvdep.com/0130473316/pref01 ...and SuSEfirewall2 (Suse Firewall).

BTW, I see Swerdna's been very active and put out lots of new stuff around last night or so (date in bottom... oh well, Ozzies get the sun to shine on them sooner than on us Europeans, let alone Americans):
http://www.swerdna.net.au/linhowtosi...resconfig.html
http://www.swerdna.net.au/linhowtosimplesh...ig_recipe1.html
His tutoring style is clearly maturing. I was wondering: you're young, are you? Forgive my inquisitiveness. Made quite some progress in a matter of weeks!

***********

OK. Your pages, along with much other stuff, helped me too. Samba is on, and on two subnets. And that's exactly where I'm stuck. No routing, nothing goes truly past between the two subnets. Quite a few times I started over with the brand official backup Suse Firewall copied onto the grown-inoperable /etc/sysconfig/SuSEfirewall2, such as:
cp -i /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.sysconfig /etc/sysconfig/SuSEfirewall2
I'll be writing more... I hope they let people edit and re-edit their posts later... In the meantime, I hope the news and links above are useful in their own right.
Quote:
and LAN, if not for "SOHO LAN"

But I think it would be wrong to depend too heavily on Wikipedia. If you want to talk between two subnets as workgroups you need a WINS server in each subnet, domain master, local masters etc., but I haven't researched the details myself. And then allow them through the firewalls using FW_TRUSTED_NETS in Sysconfig --> net --> firewall --> Susefirewall2.

Yes, I am indeed very young, and I have been that way for a very long time! What about you?
On the network there should be only one WINS server.

subnet A, samba = master:
    domain master = yes
    preferred master = yes
    local master = yes
    wins support = yes
    wins proxy = yes
    remote announce = x.x.x.255/workgrupA y.y.y.255/workgrupB
    remote browse sync = x.x.x.255 y.y.y.255
    interfaces = x.x.x.255/255.255.255.0 y.y.y..255/255.255.255.0
    os level = 255

any other samba on subnet A:
    domain master = no
    preferred master = no
    local master = no
    wins support = no
    wins proxy = no
    wins server = ip_address_of_master
    os level = 22

subnet B:
    preferred master = yes
    local master = yes
    wins support = no
    wins proxy = no
    wins server = ip_address_of_master
    os level = 64

any other samba on subnet B:
    preferred master = no
    local master = no
    wins support = no
    wins proxy = no
    wins server = ip_address_of_master
    os level = 22

You may add under [global]:
    lm announce = yes
    auto services = yes
    browse list = yes

and ip_forward.

Hope this will help.
Quote:
on the network should be only one WINS server
subnet A
...
interfaces = x.x.x.255/255.255.255.0 y.y.y..255/255.255.255.0
...

That must be a typo. It should read:
interfaces = x.x.x.0/255.255.255.0 y.y.y..0/255.255.255.0

Broch and Swerdna, I am considering your suggestions in earnest. But, young at heart though I might feel, these things take me some amount of time to digest. I'll be one half century old later in 2007.

I am now starting from scratch, firewall-wise. So I have right now reverted to the official backup as I wrote above, and the /etc/sysconfig/SuSEfirewall2 is as on a freshly installed system. I have also blanked everything in YaST > Routing, as I noticed that I got some errors when I executed:
SuSE10.2-ALi:/ # rcnetwork restart
I also clicked "Restart All" in SWAT, http://localhost:901/status. Sure, I had to click on Samba Server... [[which I don't recommend either for all the conf'ing. I remember it asked me for a password, which *it* didn't remember... So till I figured SWAT was OK with root / root's password, it took me restoring a backup or more...]] ...and just click on "open port on firewall" and Finish.

I have checked, and to make a long story shorter, it's just that (these are the entries, sure I replaced the private info) these two:
xxxxxWG-seDSL 192.168.A.0
xxxxxWG-local 192.168.B.0
don't see each other. In my naming scheme, xxxxxWG is the Samba workgroup. xxxxxWG-seDSL is a local network with DHCP arranged by a fine GPL'd (in very *fine* print, and out of sight in any regular use) Linux system, yes, Linux, in a Siemens DSL/wireless/router model SE555. xxxxxWG-local 192.168.B.0 is a strictly local network on a cheap and maybe 3-year-old 12x7x4cm router/switch/you name it (always worked fine). I can mount Samba shares from within A or B, but not across A and B. I will now apply... what? No clear idea.

Swerdna wrote: "If you want to talk between two subnets as workgroups you need a wins server in each subnet..."

And this is at the core of the issue, actually, on my SOHO: for the subnets xxxxxWG-seDSL (192.168.A.0/24) and xxxxxWG-local (192.168.B.0/24), or just A and B for short, I have only one Samba, and it's on the host that connects to A through eth0 and to B through eth1. And it has:
wins support = Yes
And the help clicked on from http://localhost:901/globals, left of that option, takes me to where it reads:

This boolean controls if the nmbd(8) process in Samba will act as a WINS server. You should not set this to yes unless you have a multi-subnetted network and you wish a particular nmbd to be your WINS server. Note that you should NEVER set this to yes on more than one machine in your network.

Another change:
SuSE102-ALi:/ # grep TRUSTED /etc/sysconfig/SuSEfirewall2
FW_TRUSTED_NETS="192.168.B.0/24 192.168.A.0/24 192.168.B.0,icmp 192.168.A.0,icmp "
Well, no change. Not worse, but the same as before. Will be doing more research, like checking routing, forwarding, using wireshark/ethereal, traceroute, iptables-save... Today. Then I'm off till Monday afternoon (Central European Time).

So how old are you, Swerdna, and you, Broch?
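As an added example (not from the thread, and not Samba's own tooling), here is a small lint over the [global] sections of several hosts' smb.conf files that catches the three problems the posts above turn on: "wins support = yes" on more than one machine, 445 still listed in "smb ports" where the advice is 139 only, and an "interfaces" entry that names the broadcast address (x.x.x.255) instead of the network (x.x.x.0), the typo corrected in the last post. The host names, addresses and config text are constructed placeholders.

```python
import re

# Constructed sample: one flattened [global] section per host, as posted in the thread.
# Host names and addresses are placeholders, not the thread's real values.
SAMPLE_HOSTS = {
    "master-A": "[global]\n smb ports = 139 445\n wins support = yes\n"
                " interfaces = 192.168.1.255/255.255.255.0 192.168.2.0/255.255.255.0\n",
    "member-B": "[global]\n smb ports = 139\n wins support = yes\n"
                " wins server = 192.168.1.10\n interfaces = 192.168.2.0/255.255.255.0\n",
}

def parse_global(text):
    # Key/value pairs of the [global] section; keys lower-cased, inner spaces collapsed.
    params, in_global = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def is_broadcast(addr, mask):
    # True when every host bit of addr is set under mask, e.g. x.x.x.255 for a /24.
    a = int.from_bytes(bytes(map(int, addr.split("."))), "big")
    host_bits = ~int.from_bytes(bytes(map(int, mask.split("."))), "big") & 0xFFFFFFFF
    return host_bits != 0 and (a & host_bits) == host_bits

def lint_hosts(hosts):
    # Returns (where, message) pairs for the three mistakes discussed in the thread.
    findings = []
    wins = sorted(h for h, t in hosts.items() if parse_global(t).get("wins support", "no").lower() == "yes")
    if len(wins) > 1:
        findings.append(("network", "wins support = yes on more than one host: " + ", ".join(wins)))
    for host, text in hosts.items():
        g = parse_global(text)
        if "445" in g.get("smb ports", "445 139").split():  # Samba's own default lists both
            findings.append((host, "smb ports includes 445; the thread's advice is smb ports = 139"))
        for entry in g.get("interfaces", "").split():
            m = re.match(r"([\d.]+)/([\d.]+)$", entry)
            if m and is_broadcast(*m.groups()):
                findings.append((host, "interfaces entry " + entry + " is a broadcast address, not the network"))
    return findings
```

Run lint_hosts over the [global] sections gathered from every Samba host on both subnets; an empty result means none of the three conditions was found.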